THE recent ATM card skimming incident is a wake-up call for banks in Pakistan to ensure their customer’s data security against all possible threats.
The central bank, on its part, has reminded banks of their responsibility to implement all regulations of Payments Card Security (PCS) that it introduced back in June 2016.
Habib Bank Ltd, the bank whose depositors’ ATM cards were skimmed, has started compensating the affected customers. And the Federal Investigation Agency (FIA) is now investigating the matter.
Customers’ data security is one of the biggest challenges that banks the world over face. All central banks continue to strengthen regulations aimed at preventing a security breach
Customer data security is one of the biggest challenges that banks the world over face. And all central banks continue to strengthen regulations aimed at preventing a security breach.
But Pakistani banks have now become even more vulnerable. “We not only face threats from hackers who skim ATMs or manipulate online accounts just for swindling money, but also from organised hacking groups whose objectives are wider,” says the head of a local bank.
“Pakistan’s entire security establishment is walking a tight rope after entering into the CPEC [China-Pakistan Economic Corridor]. Foreign powers are making every effort to embarrass the country. We need to thoroughly investigate the real motives behind the recent skimming in the light of previous bank data stealing incidents in which some Chinese nationals were involved,” a well-placed source in the FIA told this writer.
“Last year, and then a few months ago, the FIA arrested Chinese nationals involved in stealing data from banks,” according to the remarks attributed to FIA deputy director Hameed Bhutto in a recent Dawn story.
In the current spate of ATM skimming, 296 customers of HBL have so far confirmed being defrauded, an aggregate loss of Rs10.2m, implied a press release issued by the State Bank of Pakistan (SBP) on Dec 5. The number of bank accounts affected, though, is around 600, according to newspaper reports.
Although HBL has started reimbursing depositors who lost their money, the reimbursement is being made after thoroughly verifying the claims of the victims, a senior bank official told this writer.
At this stage, it’s difficult to ascertain the exact amount that the skimmers might have stolen from depositors’ account. Nor can it be claimed with certainty that no more ATM skimming complaints would pour in, FIA officials reckon.
These officials also say, and bankers confirm, that HBL is not the only bank whose depositors have fallen victim to ATM fraud. It is just that in the recent case, a large number of skimming complaints have surfaced in one go.
Back in June 2016, the SBP required all banks to develop infrastructure for adopting Europay Master Card Visa (EMV) standards by June 30, 2018 as part of enhanced PCS regulations, according to a Dec 5 press release.
The use of ATMs has been growing rapidly in Pakistan. About 110m ATM transactions valuing Rs960bn took place in the nine months through March, according to SBP
Debit cards of EMV standards, featuring a chip and two-factor authentication “are now considered the most effective countermeasure for card cloning through skimming globally”, the SBP has reminded banks.
Even if all debit cards comply with EMV standards, as they are supposed to, by June next year, it does not mean that chances for ATM skimming and debit card cloning by tech-savvy criminals would end automatically.
“Banks will also have to maximise their internal network security and sensitise their customers on taking some precautionary measures while using their cards,” says Muhammad Kashif, a software developer who also works for a leading local bank.
At the beginning of this month, the US Department of Homeland Security unearthed a skimming racket in Sacramento, California, and exposed how skimmers had managed to steal money from hundreds of local account holders of Golden 1 Credit Union ATMs between April and August this year. “This happened despite the fact that the account holders used EMV-compliant cards.”
One possible solution, as has been recommended by the SBP, is to promote the use of two-factor authentication process. BankIslami’s One Card, for example, allows its users to also use finger or thumb impression in addition to a PIN code for verification at ATMs.
SBP Deputy Governor Jameel Ahmad advised banks on Dec 7 to expedite the use of PayPak, a payment card developed under a domestic payment system 1Link, and urged them to ensure security of payment instruments to safeguard consumers’ money.
Over the years, the use of ATMs has been growing rapidly in Pakistan. According to SBP statistics, about 110m ATM transactions took place in just the nine months from July 2016 to March 2017, with the total value of these transactions exceeding Rs960 billion.
As banks continue to encourage their clients to use ATMs and as people experience the benefits doing so, these numbers are destined to grow. “We’ll do everything possible to prevent all sorts of tech frauds in the banking industry including ATM skimming, and keep a strict vigil on banks for any lapses on their part,” said a well-placed source in SBP.
Published in Dawn, The Business and Finance Weekly, December 11th, 2017